add gitea tests

seed/dns-local/tests/mookdns.py

@@ -0,0 +1,44 @@
+import socket
+from shutil import copyfile, move
+from os import remove
+from os.path import isfile
+
+
+class MookDns:
+    # Monkey patch to force IPv4 resolution
+    def __init__(self, ip):
+        self.ip = ip
+
+    def __enter__(self):
+        self.old_getaddrinfo = socket.getaddrinfo
+        def new_getaddrinfo(*args, **kwargs):
+            ret = self.old_getaddrinfo(*args, **kwargs)
+            dns = list(ret[0])
+            dns[-1] = (self.ip, dns[-1][1])
+            return [dns]
+        socket.getaddrinfo = new_getaddrinfo
+        return self
+
+    def __exit__(self, exc_type, exc, tb):
+        socket.getaddrinfo = self.old_getaddrinfo
+
+
+class MookDnsSystem:
+    # Monkey patch to force IPv4 resolution
+    def __init__(self, dns, ip):
+        self.dns = dns
+        self.ip = ip
+
+    def __enter__(self):
+        if not isfile('/etc/hosts.risotto'):
+            copyfile('/etc/hosts', '/etc/hosts.risotto')
+        with open('/etc/hosts.risotto', 'r') as risotto:
+            with open('/etc/hosts', 'w') as hosts:
+                for line in risotto.readlines():
+                    if self.dns not in line:
+                        hosts.write(line)
+                hosts.write(f'{self.ip}  {self.dns}')
+
+    def __exit__(self, exc_type, exc, tb):
+        remove('/etc/hosts')
+        move('/etc/hosts.risotto', '/etc/hosts')

seed/dovecot/templates/imap.yml

@@ -4,7 +4,7 @@
 address: %%ip_eth0
 dns: %%domain_name_eth0
 username: %%username
-password: %%get_password(server_name=%%ldap_server_address, username=%%username, description="ldap user", type="cleartext", hide=%%hide_secret, temporary=True)
+password: %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
 username_family: %%username_family
-password_family: %%get_password(server_name=%%ldap_server_address, username=%%username_family, description="ldap family user", type="cleartext", hide=%%hide_secret, temporary=True)
+password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 name_family: %%name_family

seed/dovecot/tests/test_imap.py

@@ -10,8 +10,8 @@ from smtplib import SMTP, SMTPNotSupportedError, SMTPAuthenticationError
 conf_file = f'{environ["MACHINE_TEST_DIR"]}/imap.yml'
 with open(conf_file) as yaml:
     data = load(yaml, Loader=SafeLoader)
-parameters = (('user', data['username'], data['password']),
+parameters = (('user', data['username'], [data['password']]),
-              ('family', data['username_family'], data['password_family'] + "2"),
+              ('family', data['username_family'], [data['password_family'], data['password_family'] + "2"]),
               )
 
 
@@ -19,8 +19,8 @@ def get_msg(username, msg='MESSAGE'):
     return f'From: {username}\r\nTo: {username}\r\n\r\nSubject: TEST\r\n{msg}\r\n'
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_wrong_password(typ, username, password):
+def test_imap_wrong_password(typ, username, passwords):
     imap = IMAP4_SSL(data['address'])
     try:
         imap.LOGIN(username, 'b')
@@ -30,17 +30,33 @@ def test_imap_wrong_password(typ, username, password):
         raise Exception('wrong login !')
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_migration(typ, username, password):
+def test_imap_migration(typ, username, passwords):
     msg = get_msg(username, 'MIGRATION')
     if 'FIRST_RUN' in environ:
         smtp = SMTP(data['address'], '587')
         smtp.starttls()
-        smtp.login(username, password)
+        error = None
+        for password in passwords:
+            try:
+                smtp.login(username, password)
+                break
+            except SMTPAuthenticationError as err:
+                error = err
+        else:
+            raise error from error
         smtp.sendmail(username, username, msg)
         smtp.quit()
     imap = IMAP4_SSL(data['address'])
-    imap.LOGIN(username, password)
+    error = None
+    for password in passwords:
+        try:
+            imap.LOGIN(username, password)
+            break
+        except Exception as err:
+            error = err
+    else:
+        raise error from error
     imap.SELECT(readonly=True)
     typ, req = imap.SEARCH(None, 'ALL')
     assert typ == 'OK'
@@ -53,49 +69,67 @@ def test_imap_migration(typ, username, password):
     imap.LOGOUT()
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_no_tls(typ, username, password):
+def test_smtp_no_tls(typ, username, passwords):
     smtp = SMTP(data['address'], '587')
-    try:
+    with pytest.raises(SMTPNotSupportedError):
-        smtp.login(username, password)
+        smtp.login(username, passwords[0])
-        raise Exception('no tls!')
-    except SMTPNotSupportedError:
-        pass
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_wrong_passwd(typ, username, password):
+def test_smtp_wrong_passwd(typ, username, passwords):
     smtp = SMTP(data['address'], '587')
     smtp.starttls()
-    try:
+    with pytest.raises(SMTPAuthenticationError):
         smtp.login(username, 'a')
-        raise Exception('wrong password!')
-    except SMTPAuthenticationError:
-        pass
     smtp.quit()
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_login(typ, username, password):
+def test_smtp_login(typ, username, passwords):
     smtp = SMTP(data['address'], '587')
     smtp.starttls()
-    smtp.login(username, password)
+    error = None
+    for password in passwords:
+        try:
+            smtp.login(username, password)
+            break
+        except SMTPAuthenticationError as err:
+            error = err
+    else:
+        raise error from error
     smtp.quit()
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_sendmail(typ, username, password):
+def test_smtp_sendmail(typ, username, passwords):
     smtp = SMTP(data['address'], '587')
     smtp.starttls()
-    smtp.login(username, password)
+    error = None
+    for password in passwords:
+        try:
+            smtp.login(username, password)
+            break
+        except SMTPAuthenticationError as err:
+            error = err
+    else:
+        raise error from error
     smtp.sendmail(username, username, get_msg(username))
     smtp.quit()
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_read_mail(typ, username, password):
+def test_imap_read_mail(typ, username, passwords):
     imap = IMAP4_SSL(data['address'])
-    imap.LOGIN(username, password)
+    error = None
+    for password in passwords:
+        try:
+            imap.LOGIN(username, password)
+            break
+        except Exception as err:
+            error = err
+    else:
+        raise error from error
     imap.SELECT(readonly=True)
     typ, req = imap.SEARCH(None, 'ALL')
     assert typ == 'OK'
@@ -111,10 +145,18 @@ def test_imap_read_mail(typ, username, password):
     imap.LOGOUT()
 
 
-@pytest.mark.parametrize('typ, username, password', parameters)
+@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_delete_mail(typ, username, password):
+def test_imap_delete_mail(typ, username, passwords):
     imap = IMAP4_SSL(data['address'])
-    imap.LOGIN(username, password)
+    error = None
+    for password in passwords:
+        try:
+            imap.LOGIN(username, password)
+            break
+        except Exception as err:
+            error = err
+    else:
+        raise error from error
     imap.SELECT()
     typ, req = imap.SEARCH(None, 'ALL')
     msg_no = req[0].split()

seed/gitea/DEBUG.md

@@ -3,5 +3,8 @@ Créer un utilisateur
 
 su - gitea -s /bin/bash -c "gitea admin user create --username gnunux --password Njw_csh7DeeZtWDxC6WVXDdB-9A --email gnunux@gnunux.info --admin -c /etc/gitea/app.ini"
 
+DEBUG
+=====
 
-
+sed -i 's/info/debug/g' /etc/gitea/app.ini 
+systemctl restart gitea

seed/gitea/dictionaries/31_gitea.xml

@@ -6,6 +6,7 @@
       <file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
       <file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
       <file>/etc/gitea/app.ini</file>
+      <file>/tests/gitea.yml</file>
     </service>
   </services>
   <variables>

seed/gitea/templates/gitea.service

@@ -16,7 +16,7 @@ User=gitea
 Group=gitea
 WorkingDirectory=/srv/gitea/lib/
 ExecStart=/usr/bin/gitea web --config /etc/gitea/app.ini
-ExecStartPost=-/usr/bin/timeout 90 bash -c 'while ! /usr/bin/gitea admin auth list --config /etc/gitea/app.ini | grep "OAuth2"; do echo "TRY TO CONFIGURE"; /usr/bin/gitea admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/gitea/app.ini; sleep 2; done; echo "CONFIGURATION DONE"'
+ExecStartPre=-/bin/bash -c 'if /usr/bin/gitea admin auth list --config /etc/gitea/app.ini | grep "OAuth2"; then echo "UPDATE";id=$(/usr/bin/gitea --config /etc/gitea/app.ini admin auth list |tail -n 1|awk "{ print \$1}");/usr/bin/gitea admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/gitea/app.ini;else echo "CONFIGURE"; /usr/bin/gitea admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/gitea/app.ini;fi;sleep 2; echo "CONFIGURATION DONE"'
 Restart=always
 Environment=USER=gitea HOME=/srv/gitea/home GITEA_WORK_DIR=/srv/gitea/lib
 

seed/gitea/templates/gitea.yml

@@ -0,0 +1,9 @@
+%set %%username="rougail_test@silique.fr"
+ip: %%ip_eth0
+revprox_ip: %%revprox_client_server_ip
+base_url: https://%%revprox_client_external_domainname%%revprox_client_location[0]
+auth_url: %%oauth2_client_external[0]
+auth_server: %%oauth2_server_domainname
+username: %%username
+password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
+gitea_title: "%%gitea_title"

seed/gitea/tests/test_gitea.py

@@ -0,0 +1,226 @@
+from yaml import load, SafeLoader
+from os import environ, makedirs
+from os.path import expandvars, isfile, isdir, dirname, join
+from re import search
+from dulwich.porcelain import init, clone, add, commit, push
+
+from tempfile import TemporaryDirectory
+from subprocess import run
+
+
+from revprox import Authentication
+from mookdns import MookDnsSystem
+
+
+PORT = '3000'
+GITEA_USERNAME = 'gitea'
+KEY_FILE = expandvars("$HOME/tests/risotto")
+
+
+AUTHENTICATION = None
+DATA = None
+
+
+def get_data():
+    global DATA
+    if not DATA:
+        conf_file = f'{environ["MACHINE_TEST_DIR"]}/gitea.yml'
+        with open(conf_file) as yaml:
+            DATA = load(yaml, Loader=SafeLoader)
+    return DATA
+
+
+def get_authentication(data):
+    global AUTHENTICATION
+    if not AUTHENTICATION:
+        AUTHENTICATION = Authentication(data['auth_url'],
+                                        data['auth_server'],
+                                        data['revprox_ip'],
+                                        data['username'],
+                                        data['password'],
+                                        f'<title>{data["username"]} - Dashboard -  {data["gitea_title"]}</title>',
+                                        )
+    return AUTHENTICATION
+
+
+def get_info(authentication,
+             url,
+             with_uid=False,
+             with_data_id=False,
+             found_string=None
+             ):
+    # <input type="hidden" name="_csrf" value="YQbVgdYHX_3VQ-KuZ5cKtr9RzXE6MTY1NzgxMzUzNTA0OTYwODQ0NQ">
+    pattern_csrf = r'name="_csrf" value="([a-zA-Z0-9\-\_=]+)"'
+    ret = authentication.get(url)
+    csrf = search(pattern_csrf, ret)[1]
+    ret_data = []
+    if with_uid:
+        pattern_uid = r'input type="hidden" id="uid" name="uid" value="(\d)+"'
+        uid = search(pattern_uid, ret)
+        if uid is None:
+            ret_data.append(uid)
+        else:
+            ret_data.append(uid[1])
+    if with_data_id:
+        pattern_uid = r'/user/settings/keys/delete?type=ssh" data-id="(\d)+"'
+        uid = search(pattern_uid, ret)
+        if uid is None:
+            ret_data.append(uid)
+        else:
+            ret_data.append(uid[1])
+    if found_string:
+        ret_data.append(found_string in ret)
+    ret_data.append(csrf)
+    if len(ret_data) == 1:
+        return ret_data[0]
+    return ret_data
+
+
+def add_ssh_key(authentication, data):
+    # Send key to gitea
+    url = f'{data["base_url"]}user/settings/keys'
+    is_already_key, csrf = get_info(authentication, url, found_string='test_key_risotto')
+    if is_already_key:
+        return
+    # Gen SSH key if needed
+    if not isfile(KEY_FILE):
+        key_dir = dirname(KEY_FILE)
+        if not isdir(key_dir):
+            makedirs(key_dir)
+        cmd = ['/usr/bin/ssh-keygen', '-N', '', '-f', KEY_FILE]
+        run(cmd)
+    with open(f'{KEY_FILE}.pub') as fh:
+        key = fh.read()
+    authentication.post(url, {'_csrf': csrf, 'title': 'test_key_risotto', 'content': key, 'type': 'ssh'})
+
+
+def delete_ssh_key(authentication, data):
+    url = f'{data["base_url"]}user/settings/keys'
+    is_already_key, csrf = get_info(authentication, url, found_string='test_key_risotto')
+    if is_already_key:
+        uid, csrf = get_info(authentication, url, with_data_id=True)
+        url = f'{data["base_url"]}user/settings/keys/delete?type=ssh'
+        authentication.post(url, {'_csrf': csrf, 'id': uid})
+    is_already_key, csrf = get_info(authentication, url, found_string='test_key_risotto')
+
+
+def test_gitea():
+    data = get_data()
+    get_authentication(data)
+
+
+def test_gitea_repos():
+    data = get_data()
+    authentication = get_authentication(data)
+    if 'FIRST_RUN' in environ:
+        url = f'{data["base_url"]}repo/create'
+        uid, csrf = get_info(authentication, url, with_uid=True)
+        authentication.post(url, {'_csrf': csrf, 'uid': uid, 'repo_name': 'test_persistent'})
+    url = f'{data["base_url"]}api/v1/repos/search?sort=updated&order=desc&uid=1&team_id=0&q=&page=1&mode='
+    json = authentication.get(url, json=True)
+    assert json['ok']
+    assert len(json['data']) == 1
+    username = data['username'].split('@', 1)[0]
+    assert json['data'][0]['full_name'] == f'{username}/test_persistent'
+
+
+def test_gitea_create_repo():
+    data = get_data()
+    authentication = get_authentication(data)
+    url = f'{data["base_url"]}repo/create'
+    uid, csrf = get_info(authentication, url, with_uid=True)
+    authentication.post(url, {'_csrf': csrf, 'uid': uid, 'repo_name': 'test', 'default_branch': 'main'})
+    url = f'{data["base_url"]}api/v1/repos/search?sort=updated&order=desc&uid=1&team_id=0&q=&page=1&mode='
+    json = authentication.get(url, json=True)
+    assert json['ok']
+    assert len(json['data']) == 2
+    username = data['username'].split('@', 1)[0]
+    assert {dat['full_name'] for dat in json['data']} == set([f'{username}/test_persistent', f'{username}/test'])
+
+
+def test_repo():
+    data = get_data()
+    authentication = get_authentication(data)
+    if 'FIRST_RUN' in environ:
+    #    delete_ssh_key(authentication, data)
+        add_ssh_key(authentication, data)
+    with TemporaryDirectory() as tmpdirname:
+        username = data['username'].split('@', 1)[0]
+        dns = data['base_url'].split('/', 3)[2]
+        ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:2222/{username}/test.git'
+        with MookDnsSystem(dns, data['ip']):
+            filename = join(tmpdirname, 'test.txt')
+            with open(filename, 'w') as fh:
+                fh.write('test')
+            repo = init(tmpdirname)
+            add(repo, filename)
+            commit(repo, message=b'test commit')
+            push(repo=repo,
+                 remote_location=ssh_url,
+                 refspecs='master',
+            )
+            lst = list(repo.get_walker())
+            assert len(lst) == 1
+            assert lst[0].commit.message == b'test commit'
+
+
+def test_clone_http():
+    data = get_data()
+    authentication = get_authentication(data)
+    if 'FIRST_RUN' in environ:
+    #    delete_ssh_key(authentication, data)
+        add_ssh_key(authentication, data)
+    with TemporaryDirectory() as tmpdirname:
+        username = data['username'].split('@', 1)[0]
+        dns = data['base_url'].split('/', 3)[2]
+        http_url = f'{data["base_url"]}{username}/test.git'
+        with MookDnsSystem(dns, data['revprox_ip']):
+            repo = clone(http_url, tmpdirname)
+            lst = list(repo.get_walker())
+            assert len(lst) == 1
+            assert lst[0].commit.message == b'test commit'
+
+
+def test_gitea_delete_repo():
+    repo_name = 'test'
+    data = get_data()
+    authentication = get_authentication(data)
+    username = data['username'].split('@', 1)[0]
+    url = f'{data["base_url"]}{username}/{repo_name}/settings'
+    csrf = get_info(authentication, url)
+    authentication.post(url, {'_csrf': csrf, 'action': 'delete', 'repo_name': repo_name})
+    url = f'{data["base_url"]}api/v1/repos/search?sort=updated&order=desc&uid=1&team_id=0&q=&page=1&mode='
+    json = authentication.get(url, json=True)
+    assert json['ok']
+    assert len(json['data']) == 1
+    username = data['username'].split('@', 1)[0]
+    assert json['data'][0]['full_name'] == f'{username}/test_persistent'
+
+
+def test_repo_persistent():
+    data = get_data()
+    authentication = get_authentication(data)
+    if 'FIRST_RUN' in environ:
+    #    delete_ssh_key(authentication, data)
+        add_ssh_key(authentication, data)
+    with TemporaryDirectory() as tmpdirname:
+        username = data['username'].split('@', 1)[0]
+        dns = data['base_url'].split('/', 3)[2]
+        ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:2222/{username}/test_persistent.git'
+        with MookDnsSystem(dns, data['ip']):
+            if 'FIRST_RUN' in environ:
+                filename = join(tmpdirname, 'test.txt')
+                with open(filename, 'w') as fh:
+                    fh.write('test')
+                repo = init(tmpdirname)
+                add(repo, filename)
+                commit(repo, message=b'test commit')
+                push(repo=repo,
+                     remote_location=ssh_url,
+                     refspecs='master',
+                )
+            else:
+                repo = clone(ssh_url, tmpdirname)
+            lst = list(repo.get_walker())
+            assert len(lst) == 1
+            assert lst[0].commit.message == b'test commit'

seed/lemonldap/templates/lmConf-1.json

@@ -167,6 +167,7 @@ commentStartToken = §
    "portalDisplayResetPassword": 0,
    "portalMainLogo": "risotto/logo.png",
    "showLanguages": 0,
+   "requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
    "whatToTrace" : "_whatToTrace",
 %set %%remotes = {}
 %for %%index, %%app in %%enumerate(%%oauth2.remotes)

seed/nginx-reverse-proxy/tests/test_revprox.py

@@ -16,7 +16,12 @@ def req(url, ip, verify=True):
         dns[-1] = (ip, dns[-1][1])
         return [dns]
     socket.getaddrinfo = new_getaddrinfo
-    ret = get(url, verify=verify)
+    if not verify:
+        with warnings.catch_warnings():
+            warnings.simplefilter("ignore")
+            ret = get(url, verify=verify)
+    else:
+        ret = get(url, verify=verify)
     ret_code = ret.status_code
     content = ret.content
     socket.getaddrinfo = old_getaddrinfo
@@ -29,9 +34,7 @@ def test_revprox():
         data = load(yaml, Loader=SafeLoader)
     # test unknown domain
     url = 'google.fr'
-    with warnings.catch_warnings():
+    ret_code, content = req(f'https://{url}', data['address'], verify=False)
-        warnings.simplefilter("ignore")
-        ret_code, content = req(f'https://{url}', data['address'], verify=False)
     assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
     assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'https://{url} returns default fedora page'
     # test certificate

seed/openldap/DEBUG.md

@@ -27,4 +27,8 @@ grep ldapAgentPassword /etc/nextcloud/nextcloud.init
 
 Search information with standard user:
 
-ldapsearch -D cn=gnunux@gnunux.info,ou=users,ou=in,o=gnunux,o=info -w "1vCE09NRW2kxHIpf1PkehOS9bSLZual82saHSBj9RPM" -b cn=gnunux@gnunux.info,ou=users,ou=in,o=gnunux,o=info
+ldapsearch -D cn=admin,ou=in,o=gnunux,o=info -w "1vCE09NRW2kxHIpf1PkehOS9bSLZual82saHSBj9RPM" -b cn=gnunux@gnunux.info,ou=users,ou=in,o=gnunux,o=info
+
+# Delete User
+
+ldapdelete -D cn=gnunux@gnunux.info,ou=users,ou=in,o=gnunux,o=info -y /usr/local/lib/secrets/admin_ldap.pwd cn=rougail_test@gnunux.info,ou=in,o=gnunux,o=info

seed/openldap/templates/openldap.yml

@@ -1,13 +1,16 @@
 %set %%username = "rougail_test@silique.fr"
 %set %%username_family = "rougail_test@gnunux.info"
-%set %%familydn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
+%set %%name_family = 'gnunux'
+%set %%familydn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
+%set %%userdn = 'cn=' + %%username + ',' +  %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
+%set %%userfamilydn = 'cn=' + %%username_family + ',' + %%familydn
 address: %%ip_eth0
 admin_dn: %%ldapclient_user
 admin_password: %%ldapclient_user_password
-user_dn: cn=%%username,%%ldap_user_dn
+user_dn: %%userdn
-user_password: %%get_password(server_name=%%ldap_server_address, username=%%username, description="ldap user", type="cleartext", hide=%%hide_secret, temporary=True)
+user_password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-user_family_dn: cn=%%username_family,%%familydn
+user_family_dn: %%userfamilydn
-user_family_password: %%get_password(server_name=%%ldap_server_address, username=%%username_family, description="ldap family user", type="cleartext", hide=%%hide_secret, temporary=True)
+user_family_password: %%get_password(server_name='test', username=%%username_family, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
 base_account_dn: %%ldap_account_dn
 base_user_dn: %%ldap_user_dn
 base_family_dn: %%familydn
@@ -18,6 +21,8 @@ remote%%idx: cn=%%name,%%ldapclient_base_dn
 remote_password%%idx: %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)
 %end for
 users:
+  %%username: %%userdn
+  %%username_family: %%userfamilydn
 %for %%user in %%accounts.users.ldap_user_mail
   %%user: cn=%%user,%%ldap_user_dn
 %end for
@@ -29,11 +34,15 @@ users:
 %end for
 groups:
   users:
+    - %%userdn
 %for %%user in %%accounts.users.ldap_user_mail
     - cn=%%user,%%ldap_user_dn
 %end for
 %for %%family in %%accounts.families
   %%family:
+  %if %%family == %%name_family
+    - %%userfamilydn
+  %end if
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
     - cn=%%user,%%families
   %end for

seed/openldap/templates/users.ldif

@@ -1,4 +1,6 @@
-%set name_family = 'gnunux'
+%set %%username="rougail_test@silique.fr"
+%set %%username_family="rougail_test@gnunux.info"
+%set %%name_family="gnunux"
 # BaseDN
 %set groups = {}
 dn: %%ldapclient_base_dn
@@ -44,30 +46,17 @@ ou: users
 objectClass: top
 objectClass: organizationalUnit
 
+%set %%userdn = 'cn=' + %%username + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
+%set %%userfamilydn = 'cn=' + %%username_family + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
+%set %%acc = [(%%userdn, %%username, %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True), 'Rougail', 'Test', 'rougail_test', [], 'users'),
+              (%%userfamilydn, %%username_family, %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True), 'Rougail', 'Test', 'rougail_test_gnunux', [], %%name_family),
+              ]
+%set %%groups['users'] = [%%userdn]
+%set %%groups[%%name_family] = [%%userfamilydn]
 %for %%user in %%accounts.users.ldap_user_mail
 %set %%userdn = "cn=" + %%user + "," + %%users
-%%groups.setdefault('users', []).append(%%userdn)
+%%acc.append((%%userdn, %%user, %%user.ldap_user_password, %%user.ldap_user_sn, %%user.ldap_user_gn, %%user.ldap_user_uid, %%user.ldap_user_aliases, 'users'))%slurp
-dn: %%userdn
+%%groups.setdefault('users', []).append(%%userdn)%slurp
-cn: %%user
-mail: %%user
-sn: %%user.ldap_user_sn
-givenName: %%user.ldap_user_gn
-uid: %%user.ldap_user_uid
-userPassword:: %%ssha_encode(%%user.ldap_user_password)
-homeDirectory: /srv/home/users/%%user
-mailLocalAddress: %%user
-  %if %%user.ldap_user_aliases
-    %for %%alias in %%user.ldap_user_aliases
-mailLocalAddress: %%alias
-    %end for
-  %end if
-uidNumber: 0
-gidNumber: 0
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: posixAccount
-objectClass: inetLocalMailRecipient
-
 %end for
 ## Families
 dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='-')
@@ -84,21 +73,53 @@ objectClass: organizationalUnit
 
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
 %set %%userdn = "cn=" + %%user + "," + %%families
-%%groups.setdefault(%%family, []).append(%%userdn)
+%%groups.setdefault(%%family, []).append(%%userdn)%slurp
+%%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
+#pouet
+#dn: %%userdn
+#cn: %%user
+#mail: %%user
+#sn: 
+#givenName: 
+#uid: 
+#userPassword:: %%ssha_encode()
+#homeDirectory: /srv/home/families/%%family/%%user
+#mailLocalAddress: %%user
+#    %if %%user['ldap_user_aliases_' + %%family]
+#      %for %%alias in 
+#mailLocalAddress: %%alias
+#      %end for
+#    %end if
+#uidNumber: 0
+#gidNumber: 0
+#objectClass: top
+#objectClass: inetOrgPerson
+#objectClass: posixAccount
+#objectClass: inetLocalMailRecipient
+#
+#  %end for
+#%end for
+  %end for
+%end for
+%for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc
 dn: %%userdn
 cn: %%user
 mail: %%user
-sn: %%user['ldap_user_sn_' + %%family]
+sn: %%sn
-givenName: %%user['ldap_user_gn_' + %%family]
+givenName: %%gn
-uid: %%user['ldap_user_uid_' + %%family]
+uid: %%uid
-userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
+userPassword:: %%ssha_encode(%%password)
+%if %%family == 'users'
+homeDirectory: /srv/home/users/%%user
+%else
 homeDirectory: /srv/home/families/%%family/%%user
+%end if
 mailLocalAddress: %%user
-    %if %%user['ldap_user_aliases_' + %%family]
+  %if %%aliases
-      %for %%alias in %%user['ldap_user_aliases_' + %%family]
+    %for %%alias in %%aliases
 mailLocalAddress: %%alias
-      %end for
+    %end for
-    %end if
+  %end if
 uidNumber: 0
 gidNumber: 0
 objectClass: top
@@ -106,7 +127,6 @@ objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: inetLocalMailRecipient
 
-  %end for
 %end for
 ## Groups
 %set %%groupdn = %%ldap_group_dn

seed/openldap/templates/users_mod.ldif

@@ -1,4 +1,6 @@
-%set groups = {}
+%set %%username="rougail_test@silique.fr"
+%set %%username_family="rougail_test@gnunux.info"
+%set %%name_family="gnunux"
 # Remote
 %set %%acc = []
 %for %%idx in %%range(3)
@@ -17,30 +19,29 @@ userPassword:: %%ssha_encode(%%password)
 
 %end for
 # Users
+%set %%userdn = 'cn=' + %%username + ',' + %%ldapclient_base_dn
+%set %%userfamilydn = 'cn=' + %%username_family + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
+%set %%acc = [(%%userdn, %%username, ['alias_' + %%username]),
+              (%%userfamilydn, %%username_family, ['alias_' + %%username_family]),
+              ]
+%set groups = {'users': [%%userdn],
+               %%name_family: [%%userfamilydn],
+			   }
 %set %%users = %%ldap_user_dn
 %for %%user in %%accounts.users.ldap_user_mail
 %set %%userdn = 'cn=' + %%user + ',' + %%users
-%%groups.setdefault('users', []).append(%%userdn)%slurp
+%%groups['users'].append(%%userdn)%slurp
-dn: %%userdn
+%%acc.append((%%userdn, %%user, %%user.ldap_user_aliases))%slurp
-changetype: modify
-#add: objectClass
-#objectClass: inetLocalMailRecipient
-#-
-replace: mailLocalAddress
-mailLocalAddress: %%user
-  %if %%user.ldap_user_aliases
-    %for %%alias in %%user.ldap_user_aliases
-mailLocalAddress: %%alias
-    %end for
-  %end if
-
 %end for
-# Families
 %for %%family in %%accounts.families
   %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
 %set %%userdn = 'cn=' + %%user + ',' + %%families
 %%groups.setdefault(%%family, []).append(%%userdn)%slurp
+%%acc.append((%%userdn, %%user, %%user['ldap_user_aliases_' + %%family]))%slurp
+  %end for
+%end for
+%for %%userdn, %%user, %%aliases in %%acc
 dn: %%userdn
 changetype: modify
 #add: objectClass
@@ -48,13 +49,12 @@ changetype: modify
 #-
 replace: mailLocalAddress
 mailLocalAddress: %%user
-    %if %%user['ldap_user_aliases_' + %%family]
+  %if %%aliases
-      %for %%alias in %%user['ldap_user_aliases_' + %%family]
+    %for %%alias in %%aliases
 mailLocalAddress: %%alias
-      %end for
+    %end for
-    %end if
+  %end if
 
-  %end for
 %end for
 # Groups
 %set %%groupdn = %%ldap_group_dn

seed/reverse-proxy-client/tests/revprox.py

@@ -0,0 +1,84 @@
+from requests import get, post, session
+from mookdns import MookDns
+
+
+class Authentication:
+    def __init__(self,
+                 auth_url,
+                 portal_server,
+                 ip,
+                 username,
+                 password,
+                 title,
+                 ):
+        self.ip = ip
+        with session() as req:
+            with MookDns(self.ip):
+                self.is_lemonldap(req,
+                                  auth_url,
+                                  )
+                self.auth_lemonldap(req,
+                                    portal_server,
+                                    username,
+                                    password,
+                                    title,
+                                    )
+            self.cookies = dict(req.cookies)
+
+#    @staticmethod
+    def is_lemonldap(self,
+                     req,
+                     url,
+                     ):
+        ret = req.get(url)
+        code = ret.status_code
+        content = ret.content
+        assert code == 200
+        assert b'<title trspan="authPortal">Authentication portal</title>' in content
+
+    def auth_lemonldap(self,
+                       req,
+                       portal_server,
+                       username,
+                       password,
+                       title,
+                       ):
+        # authentification
+        json = {'user': username,
+                'password': password,
+                }
+        headers = {"Content-Type": "application/x-www-form-urlencoded",
+                   "Accept": "application/json",
+                   }
+        portal_url = f'https://{portal_server}/oauth2/'
+        ret = req.post(portal_url, data=json, headers=headers)
+        json = ret.json()
+        assert json['error']
+        assert json['result'] == 1
+        assert json['id'] == ret.cookies.get('lemonldap')
+        # authorization code
+        # curl -X POST -d user=dwho -d password=dwho -H 'Accept: application/json' 'https://oidctest.wsweet.org/oauth2/'
+        # curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/authorize?response_type=code&client_id=private&scope=openid+profile+email&redirect_uri=http://localhost' | grep '^location'
+        authorize_url = f'{portal_url}authorize'
+        ret = req.get(authorize_url)
+        assert ret.status_code == 200
+        assert title in ret.content.decode()
+
+    def get(self,
+            url,
+            json=False,
+            ):
+        with MookDns(self.ip):
+            ret = get(url, cookies=self.cookies)
+        assert ret.status_code == 200, f'return code is {ret.status_code}'
+        if json:
+            return ret.json()
+        return ret.content.decode()
+
+    def post(self,
+             url,
+             data,
+             ):
+        with MookDns(self.ip):
+            ret = post(url, cookies=self.cookies, data=data)
+        assert ret.status_code == 200, f'return code is {ret.status_code}'